I’ve run vulnix --system on my server, which is on the 20.09 branch, and it showed a LOT of open CVEs, which is a bit concerning. The worst of them is imagemagick-6.9.11-60 with 81 open CVEs which go up to a score of 9.8 (and some of the CVEs date back to 2016). There is also security roundup 99, which detected 79 of these CVEs for imagemagick.
Now I’m wondering a bit how e.g. CVE-2016-5841 is still apparently unresolved after over 4 years, plus I have some more questions:
- Are these CVEs mainly unpatched because of missing interest/manpower?
- Vulnix has an entry about whitelisting in the readme. Is there already a whitelist of CVEs for which an issue already exists? If so, can this list be made accessible?
- Is there some kind of “policy/guideline” to decide which CVEs should be patched and which not (of course, as there is not enough manpower, “as much as possible” is probably fine)?
- Vulnix reported CVEs for 37 packages built on my server, and some of them aren’t in a security roundup. I could easily identify some of them as not applicable to NixOS (e.g. a Debian packaging problem), but wasn’t sure of others (e.g. NVD - CVE-2020-8625), which may need to be patched for NixOS 20.09. Should I just create GitHub issues for these and CC the maintainers, or is there a preferred way to handle them (e.g. so that they won’t appear in a following roundup)?
- The package imagemagick currently doesn’t have any maintainer listed, but is obviously a dependency for lots of other packages. Is this a bad thing (and part of the problem), or are such prominent packages managed in a “more organic” way and therefore don’t need a maintainer?
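The whitelist and triage questions above boil down to bookkeeping: which findings are already tracked or not applicable, and which ones are still genuinely open. The following is an added example, not part of the original post and not vulnix's own code or report format. It assumes a constructed report of the shape "package -> {CVE id: CVSS score}" (the scores and the CVE-0000-000x identifiers are made up for illustration; the example.invalid issue URL is a placeholder) and a whitelist whose entries carry a reason, an optional tracking issue, an optional re-check date and an optional package restriction. It returns the still-open findings sorted by score and reports whitelist entries whose re-check date has passed, so a suppression for a "tracked upstream" CVE cannot silently outlive the issue it referred to.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample report: package attribute -> {CVE id: CVSS score}.
# The shape and the scores are assumptions for this example, not vulnix's real output.
# CVE-0000-000x are placeholder identifiers, not real CVEs.
REPORT: Dict[str, Dict[str, float]] = {
    "imagemagick-6.9.11-60": {"CVE-2016-5841": 7.8, "CVE-0000-0001": 9.8, "CVE-0000-0002": 5.5},
    "bind-9.16.8": {"CVE-2020-8625": 8.1},
    "foo-1.0": {"CVE-0000-0003": 4.3},
}


@dataclass
class WhitelistEntry:
    cve: str
    reason: str
    issue_url: Optional[str] = None   # tracking issue, if one exists
    until: Optional[date] = None      # re-check date; after it the entry no longer suppresses
    package: Optional[str] = None     # restrict the suppression to one package attribute


# Constructed whitelist; the issue URL is a placeholder, not a real tracker link.
WHITELIST: List[WhitelistEntry] = [
    WhitelistEntry("CVE-0000-0003", "Debian packaging issue, not applicable to NixOS"),
    WhitelistEntry(
        "CVE-0000-0002",
        "tracked upstream",
        issue_url="https://example.invalid/issue/PLACEHOLDER",
        until=date(2021, 1, 1),
        package="imagemagick-6.9.11-60",
    ),
]

Finding = Tuple[str, str, float]  # (package, cve, score)


def triage(report: Dict[str, Dict[str, float]],
           whitelist: List[WhitelistEntry],
           today: date) -> Tuple[List[Finding], List[WhitelistEntry]]:
    """Return (open_findings, expired_entries).

    open_findings: findings not suppressed by an active whitelist entry, highest score first.
    expired_entries: entries whose 'until' date has passed; they suppress nothing any more
    and should be re-checked against the tracking issue.
    """
    active: Dict[str, List[WhitelistEntry]] = {}
    expired: List[WhitelistEntry] = []
    for entry in whitelist:
        if entry.until is not None and today > entry.until:
            expired.append(entry)
            continue
        active.setdefault(entry.cve, []).append(entry)

    open_findings: List[Finding] = []
    for pkg, cves in report.items():
        for cve, score in cves.items():
            entries = active.get(cve, [])
            # An entry without a package restriction suppresses the CVE everywhere.
            if any(e.package is None or e.package == pkg for e in entries):
                continue
            open_findings.append((pkg, cve, score))

    open_findings.sort(key=lambda f: (-f[2], f[0], f[1]))
    return open_findings, expired


def summarize(open_findings: List[Finding]) -> Dict[str, Tuple[int, float]]:
    """Per package: (number of open CVEs, highest score), the numbers a roundup would quote."""
    summary: Dict[str, Tuple[int, float]] = {}
    for pkg, _cve, score in open_findings:
        count, worst = summary.get(pkg, (0, 0.0))
        summary[pkg] = (count + 1, max(worst, score))
    return summary


if __name__ == "__main__":
    open_now, expired_now = triage(REPORT, WHITELIST, date(2020, 12, 1))
    for pkg, cve, score in open_now:
        print(f"{score:4.1f}  {pkg:24s}  {cve}")
    for pkg, (count, worst) in summarize(open_now).items():
        print(f"{pkg}: {count} open CVE(s), worst score {worst}")
    for entry in expired_now:
        print(f"re-check: {entry.cve} ({entry.reason}) {entry.issue_url or ''}")
```

Running it with a date after an entry's re-check date makes the suppressed CVE reappear in the open list and the entry show up under "re-check", which is the behaviour you want from a whitelist that references issues: the suppression is tied to a date, not left in place forever.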